Important: Contrary to the “Brakeman Philosophy,” there is one situation in which Brakeman attempts to load files from an application. This is a security risk, since the code in those files is executed when they are loaded (the normal behavior of require). Note that this is only a real problem when running Brakeman against code outside one’s control. Since most users are scanning their own code, this should not be a concern for the majority of Brakeman users.
Changes since 2.1.1:
- Do not attempt to load custom Haml filters
- Do not warn about to_json XSS in Rails 4
- Remove fuzzy matching on dangerous model attributes
- Add --table-width option to set width of text reports (ssendev)
Custom Haml Filters
Brakeman no longer attempts to load custom Haml filters. This was a hack (from nearly three years ago) to help compile some Haml templates. It was recently noted that this introduces a security risk when scanning untrusted code.
For now, custom Haml filters will cause a Brakeman error and the Haml templates using them will not be scanned.
JSON Output in Rails 4
As of Rails 4, the output of to_json is safe by default. Brakeman should no longer warn about cross-site scripting with to_json in Rails 4 applications.
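The reason the warning is no longer needed is that the Rails 4 JSON encoder escapes the HTML-significant characters <, > and & as \u003c, \u003e and \u0026 in its output, so a string value can no longer close a script tag it was embedded in. The following added example (written for this page, not code from Brakeman or Rails) reproduces that escaping on top of Ruby's standard JSON library and contrasts the unescaped and escaped forms when embedded in a script block; the payload string and the embed_in_script helper are constructed for illustration.

```ruby
require 'json'

# Characters that must never appear literally inside a <script> block or an
# HTML attribute. Rails 4 replaces them with JSON \uXXXX escapes, which a JSON
# parser decodes back to the original characters, so the data is unchanged.
HTML_UNSAFE = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026' }.freeze

# Generate plain JSON first, then escape the HTML-significant characters in
# the JSON text itself. Escaping the output rather than the input values
# keeps the result a valid JSON document.
def html_safe_json(value)
  JSON.generate(value).gsub(/[<>&]/) { |c| HTML_UNSAFE[c] }
end

# Constructed helper standing in for a view that inlines JSON into a page.
def embed_in_script(json_text)
  "<script>var data = #{json_text};</script>"
end

# Constructed sample value: a string that would terminate the script block
# if it reached the page unescaped.
PAYLOAD = { name: '</script><b>injected</b>' }.freeze

# Number of "</script>" sequences in the rendered page; exactly one (the
# wrapper's own) means the data could not break out of the script block.
def script_terminators(page)
  page.scan('</script>').size
end

def unescaped_page
  embed_in_script(JSON.generate(PAYLOAD))
end

def escaped_page
  embed_in_script(html_safe_json(PAYLOAD))
end

# Parsing the escaped form returns the original value untouched.
def round_trip(value)
  JSON.parse(html_safe_json(value), symbolize_names: true)
end

if __FILE__ == $PROGRAM_NAME
  puts unescaped_page
  puts escaped_page
end
```

Running the block prints both pages; the unescaped one contains a second "</script>" supplied by the data, while the escaped one carries the value as \u003c/script\u003e and still parses back to the original string.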
Less Fuzzy Mass Assignment
Brakeman no longer uses fuzzy matching for potentially dangerous model attributes allowed for mass assignment, such as any value containing
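To make the difference concrete, the following added example (written for this page, not Brakeman's own code) extracts the attr_accessible names from a constructed model source and checks them against a small dangerous-attribute list two ways: the old substring ("fuzzy") match, which also flags names such as administrative_notes, and the new exact match, which flags only the attribute itself. The DANGEROUS_ATTRIBUTES list and the model source are constructed for illustration and are not Brakeman's real list.

```ruby
# Constructed list of attribute names a scanner might consider dangerous to
# expose through mass assignment (not Brakeman's actual list).
DANGEROUS_ATTRIBUTES = %w[admin role banned].freeze

# Constructed model source: two classes, one with names that merely contain
# a dangerous word, one that exposes the dangerous attribute itself.
MODEL_SOURCE = <<~RUBY
  class User < ActiveRecord::Base
    attr_accessible :name, :email, :administrative_notes, :role_description
  end

  class Account < ActiveRecord::Base
    attr_accessible :name, :admin
  end
RUBY

# Pull the symbol names out of every attr_accessible line in the source.
def attr_accessible_names(source)
  source.scan(/attr_accessible\s+(.+)$/).flatten
        .flat_map { |list| list.scan(/:(\w+)/) }
        .flatten
end

# Fuzzy matching: flag any attribute whose name contains a dangerous name.
# This is the behaviour the release removes; it produces false positives.
def fuzzy_dangerous(attrs)
  attrs.select { |a| DANGEROUS_ATTRIBUTES.any? { |d| a.include?(d) } }
end

# Exact matching: flag only attributes whose whole name is dangerous.
def exact_dangerous(attrs)
  attrs & DANGEROUS_ATTRIBUTES
end

# Run both strategies over a model source and return their findings.
def mass_assignment_report(source)
  attrs = attr_accessible_names(source)
  { attributes: attrs, fuzzy: fuzzy_dangerous(attrs), exact: exact_dangerous(attrs) }
end

if __FILE__ == $PROGRAM_NAME
  report = mass_assignment_report(MODEL_SOURCE)
  puts "fuzzy:  #{report[:fuzzy].inspect}"
  puts "exact:  #{report[:exact].inspect}"
end
```

With the constructed source, fuzzy matching reports administrative_notes, role_description and admin, while exact matching reports only admin; the first two were the kind of noise the change eliminates.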
Text Report Width Option
The width of text reports can now be controlled with the --table-width option. For example, this can be useful when capturing text output to a file.